
OpenVPN connects fine, but no internet access

Server Fault user
Asked on 2019-11-15 09:27:46
1 answer, 958 views, 0 followers, score 0

I am learning to use OpenVPN, and I bought a VPS that comes with OpenVPN (the hosting provider's default install).

When I configured my client to connect to the server, I noticed that the connection is established, but I cannot browse.

It is supposed to be ready to use as installed. Maybe some network configuration is wrong, but I cannot find the error.

1. Server setup

1.1 Basic configuration

1.2 VPN settings

1.3 Network

```
as0t0     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.0.0.1  P-t-P:10.0.0.1  Mask:255.255.255.128
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:200
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

as0t1     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.0.0.129  P-t-P:10.0.0.129  Mask:255.255.255.128
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:200
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth0      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          inet addr:51.xx.xx.xxx  Bcast:51.xx.xx.xxx  Mask:255.255.255.255
          inet6 addr: xxxx::xxxx:xxxx:xxxx:xxx/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:83862 errors:0 dropped:0 overruns:0 frame:0
          TX packets:84251 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:8108403 (7.7 MiB)  TX bytes:11762035 (11.2 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:276 errors:0 dropped:0 overruns:0 frame:0
          TX packets:276 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:61294 (59.8 KiB)  TX bytes:61294 (59.8 KiB)
```

1.4 iptables

I added the following rule:

```bash
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
```

Output of iptables -L:

```
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
AS0_ACCEPT  all  --  anywhere            anywhere             state RELATED,ESTABLISHED
AS0_ACCEPT  all  --  anywhere            anywhere
AS0_IN_PRE  all  --  anywhere            anywhere             mark match 0x2000000/0x2000000
AS0_ACCEPT  udp  --  anywhere            xxx.ip-xx-xx-xx.eu   state NEW udp dpt:openvpn
AS0_ACCEPT  tcp  --  anywhere            xxx.ip-xx-xx-xx.eu   state NEW tcp dpt:https
AS0_WEBACCEPT  all  --  anywhere         anywhere             state RELATED,ESTABLISHED
AS0_WEBACCEPT  tcp  --  anywhere         xxx.ip-xx-xx-xx.eu   state NEW tcp dpt:943

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
AS0_ACCEPT  all  --  anywhere            anywhere             state RELATED,ESTABLISHED
AS0_IN_PRE  all  --  anywhere            anywhere             mark match 0x2000000/0x2000000
AS0_OUT_S2C  all  --  anywhere           anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
AS0_OUT_LOCAL  all  --  anywhere         anywhere

Chain AS0_ACCEPT (5 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain AS0_IN (4 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             10.0.0.1
           all  --  default              anywhere
AS0_IN_POST  all  --  anywhere           anywhere

Chain AS0_IN_NAT (1 references)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere             MARK or 0x8000000
ACCEPT     all  --  anywhere             anywhere

Chain AS0_IN_POST (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             10.0.0.0/24
AS0_OUT    all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain AS0_IN_PRE (2 references)
target     prot opt source               destination
AS0_IN     all  --  anywhere             link-local/16
AS0_IN     all  --  anywhere             192.168.0.0/16
AS0_IN     all  --  anywhere             172.16.0.0/12
AS0_IN     all  --  anywhere             10.0.0.0/8
ACCEPT     all  --  anywhere             anywhere

Chain AS0_IN_ROUTE (0 references)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere             MARK or 0x4000000
ACCEPT     all  --  anywhere             anywhere

Chain AS0_OUT (2 references)
target     prot opt source               destination
AS0_OUT_POST  all  --  anywhere          anywhere

Chain AS0_OUT_LOCAL (1 references)
target     prot opt source               destination
DROP       icmp --  anywhere             anywhere             icmp redirect
ACCEPT     all  --  anywhere             anywhere

Chain AS0_OUT_POST (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain AS0_OUT_S2C (1 references)
target     prot opt source               destination
AS0_OUT    all  --  anywhere             anywhere

Chain AS0_U_OPENVPN_IN (0 references)
target     prot opt source               destination
AS0_IN_NAT  all  --  anywhere            172.27.224.0/20
AS0_IN_POST  all  --  anywhere           anywhere

Chain AS0_WEBACCEPT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
```

Output of iptables -t nat -nL:

```
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
AS0_NAT_PRE_REL_EST  all  --  0.0.0.0/0  0.0.0.0/0            state RELATED,ESTABLISHED

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
AS0_NAT_POST_REL_EST  all  --  0.0.0.0/0 0.0.0.0/0            state RELATED,ESTABLISHED
AS0_NAT_PRE  all  --  0.0.0.0/0          0.0.0.0/0            mark match 0x2000000/0x2000000
MASQUERADE  all  --  10.0.0.0/24         0.0.0.0/0

Chain AS0_NAT (3 references)
target     prot opt source               destination
SNAT       all  --  0.0.0.0/0            0.0.0.0/0            to:51.xx.xx.xxx
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain AS0_NAT_POST_REL_EST (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain AS0_NAT_PRE (1 references)
target     prot opt source               destination
AS0_NAT    all  --  0.0.0.0/0            0.0.0.0/0            mark match 0x8000000/0x8000000
AS0_NAT_TEST  all  --  0.0.0.0/0         169.254.0.0/16
AS0_NAT_TEST  all  --  0.0.0.0/0         192.168.0.0/16
AS0_NAT_TEST  all  --  0.0.0.0/0         172.16.0.0/12
AS0_NAT_TEST  all  --  0.0.0.0/0         10.0.0.0/8
AS0_NAT    all  --  0.0.0.0/0            0.0.0.0/0

Chain AS0_NAT_PRE_REL_EST (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain AS0_NAT_TEST (4 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            mark match 0x4000000/0x4000000
ACCEPT     all  --  0.0.0.0/0            10.0.0.0/24
AS0_NAT    all  --  0.0.0.0/0            0.0.0.0/0
```

1.5 Additional configuration

I edited /etc/sysctl.conf and uncommented the following line:

```
net.ipv4.ip_forward=1
```

Output of sysctl net.ipv4.ip_forward:

```
net.ipv4.ip_forward = 1
```

2. Client setup

When I connect to the VPN, the client has the following configuration:

```
IPv6: fe80::159:2b87:b731:8337%6
IPv4: 10.0.0.130
Mask: 255.255.255.128
Gateway: 10.0.0.129
```

1 Answer

Server Fault user

Posted on 2019-11-15 13:57:43

Looking at your VPN settings, we can see the network address is set to 172.27.224.0/20.

Looking at the group default IP address network setting, 172.27.240.0/20 is in use.

You did add an iptables rule that NATs out of 172.27.240.0/20.

However, your client is connected as 172.27.232.1/21. So its traffic is not subject to your NAT rule.

Either change the NAT rule to include both 172.27.240/20 and 172.27.224/20, or remove the group default IP address network setting / only NAT 172.27.224/20.

Score 1
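The check the answer performs by hand (does the client's address fall inside the source range of the manually added MASQUERADE rule?) can be automated. The script below is an added example, not code from the post or from OpenVPN Access Server; it serves both the question's setup (the manual `MASQUERADE` rule and `ip_forward` step) and the answer's diagnosis. It is plain Python 3 with only the standard library. The two `iptables -t nat -S POSTROUTING` samples are constructed for the example (the page shows the `-nL` listing, not `-S`), and the function names are my own.

```python
import ipaddress
import shlex

# Constructed sample (not from the page): the question's POSTROUTING chain
# as `iptables -t nat -S POSTROUTING` would print it.  -S is easier to parse
# than -nL because each line is the rule in its own command syntax.
QUESTION_NAT_RULES = """\
-P POSTROUTING ACCEPT
-A POSTROUTING -m state --state RELATED,ESTABLISHED -j AS0_NAT_POST_REL_EST
-A POSTROUTING -m mark --mark 0x2000000/0x2000000 -j AS0_NAT_PRE
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
"""

# Constructed sample for the mismatch the answer describes: the admin NATs
# 172.27.240.0/20 while clients are handed addresses from 172.27.224.0/20.
ANSWER_NAT_RULES = """\
-P POSTROUTING ACCEPT
-A POSTROUTING -s 172.27.240.0/20 -o eth0 -j MASQUERADE
"""


def nat_source_matches(rules_text):
    """Parse `iptables -t nat -S POSTROUTING` output and return the source
    match of every MASQUERADE/SNAT rule as (network, negated) pairs.

    A rule without -s matches any source and is reported as 0.0.0.0/0.
    Rules that jump to user chains (e.g. -j AS0_NAT_PRE, which Access Server
    uses for its own SNAT) are skipped: their effect depends on the target
    chain, which this parser does not follow.  The -o interface is ignored,
    since which interface a packet leaves by is decided by the routing table.
    """
    matches = []
    for line in rules_text.splitlines():
        argv = shlex.split(line)
        if argv[:2] != ["-A", "POSTROUTING"] or "-j" not in argv:
            continue
        if argv[argv.index("-j") + 1] not in ("MASQUERADE", "SNAT"):
            continue
        net, negated = ipaddress.ip_network("0.0.0.0/0"), False
        if "-s" in argv:
            i = argv.index("-s")
            negated = i > 0 and argv[i - 1] == "!"   # "! -s X" means "not from X"
            net = ipaddress.ip_network(argv[i + 1], strict=False)
        matches.append((net, negated))
    return matches


def is_natted(address, matches):
    """True if at least one MASQUERADE/SNAT source match covers the address."""
    ip = ipaddress.ip_address(address)
    return any((ip in net) != negated for net, negated in matches)


def _covers(subnet, match):
    """True if a single source match covers the whole subnet."""
    net, negated = match
    return not subnet.overlaps(net) if negated else subnet.subnet_of(net)


def uncovered_subnets(vpn_subnets, rules_text):
    """Return the VPN subnets that no single NAT rule covers completely.

    A client in an un-NATed subnet sends packets out of eth0 with a private
    source address, so replies never come back: the tunnel is up, the
    client has an address and a gateway, and nothing on the internet answers.
    """
    matches = nat_source_matches(rules_text)
    missing = []
    for cidr in vpn_subnets:
        subnet = ipaddress.ip_network(cidr, strict=False)
        if not any(_covers(subnet, m) for m in matches):
            missing.append(str(subnet))
    return missing


def missing_rules(vpn_subnets, rules_text, out_iface="eth0"):
    """The MASQUERADE rules to add so that every VPN subnet is NATed."""
    return [
        f"iptables -t nat -A POSTROUTING -s {net} -o {out_iface} -j MASQUERADE"
        for net in uncovered_subnets(vpn_subnets, rules_text)
    ]


if __name__ == "__main__":
    # The question's own data: 10.0.0.130 is inside 10.0.0.0/24, so the
    # manual MASQUERADE rule is not what is blocking that client.
    print("10.0.0.130 NATed:", is_natted("10.0.0.130", nat_source_matches(QUESTION_NAT_RULES)))
    # The answer's diagnosis: 172.27.232.1 lies outside 172.27.240.0/20.
    print("172.27.232.1 NATed:", is_natted("172.27.232.1", nat_source_matches(ANSWER_NAT_RULES)))
    for rule in missing_rules(["172.27.224.0/20", "172.27.240.0/20"], ANSWER_NAT_RULES):
        print("add:", rule)
```

On a real server, pass the output of `iptables -t nat -S POSTROUTING` to `nat_source_matches` and the subnets of every `as0t*`/`tun*` interface to `uncovered_subnets`. The check is deliberately narrow: it only judges rules whose target is `MASQUERADE` or `SNAT` in `POSTROUTING` itself, so the SNAT that Access Server applies through `AS0_NAT_PRE` to marked packets is out of scope, as are `net.ipv4.ip_forward` and the FORWARD chain, which still have to be verified separately.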
Original content provided by Server Fault; the Chinese version was machine-translated by Tencent Cloud's IT-domain engine.
Original link: https://serverfault.com/questions/991965